
MongoDB Patches Remote Denial-of-Service Vulnerability

Popular NoSQL database MongoDB has released an update that patches a critical denial-of-service vulnerability.

MongoDB, a popular NoSQL database used in big data and heavy analytics environments, has patched a serious denial-of-service vulnerability that is remotely exploitable.

Companies running the default installation of MongoDB, which does not require authentication to access the database, are urged to update immediately to a patched version and to set up authentication. Attackers using a Shodan query or scanning the Internet for vulnerable installations can easily find MongoDB servers online. According to the MongoDB website, large organizations such as MetLife, Bosch, Expedia, and The Weather Channel have the database in production for a variety of uses.

Researchers at Fortinet’s FortiGuard Labs discovered the vulnerability in two separate areas of MongoDB, on Feb. 20 and Feb. 23 respectively, and immediately disclosed it privately to MongoDB, which made updates available on March 17.

“A potential attacker doesn’t have to be authenticated or have rights to the database to exploit the vulnerability,” said Aamir Lakhani, security strategist, FortiGuard Labs. “All they have to do is send a crafted packet, a particular regex query, to crash the database.”

According to an advisory on the Fortinet website, the vulnerability lies in an old version (8.30) of the PCRE regular-expression library used in MongoDB query processing. MongoDB updated the library in versions 3.0.1 and 2.6.9, the two most recent major release branches in production. Up-to-date versions of MongoDB ship with a patched version of PCRE (8.36 and later).

“I would say a skilled attacker who understands regex wouldn’t have too much of a difficult time with this attack, especially after examining the code,” Lakhani said. “Some things would stand out with a skilled attacker. And at some point as usually happens with these things, someone will automate it or develop a Metasploit plugin that will make an exploit easy to execute.”

Enabling authentication would cut into that simplicity.

“You can set up Mongo to ensure authentication is required. It’s the recommended best practice,” Lakhani said. “If Mongo is set up in a way that does not allow for anonymous access, at that point, an anonymous user cannot run an attack. But if a user has legitimate credentials, they can execute the same attack.”

Fortinet’s proof-of-concept exploit is essentially a regular expression that meets a set of conditions that cause the database to crash. Fortinet said variants of the crafted regex also work, but it did not disclose the details.

“There are several ways to carry out an attack against this vulnerability,” Lakhani said. “The most common is to connect to the MongoDB server through a website query or using a MongoDB client tool to connect to the server. The attacker puts in a regex string with an input field where MongoDB reads it and processes the input. As soon as it looks at the packet, the server is taken down.

“The risk is that the system is down until services are restarted, and sometimes that requires manual intervention from an administrator,” Lakhani said.
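The two conditions the article describes, a mongod older than the fixed releases (2.6.9 / 3.0.1) and a mongod that answers queries without authentication, can be checked against your own deployment with the added audit helper below. It is example code, not Fortinet’s or MongoDB’s, and assumes the legacy `mongo` shell client of that era is on PATH; the host and port arguments are placeholders.

```shell
#!/bin/sh
# Added audit helper (not Fortinet's or MongoDB's code). Checks the two
# conditions the article describes: a mongod below the fixed releases
# (2.6.9 / 3.0.1) and a mongod that accepts anonymous requests.
# Assumes the legacy "mongo" shell client is on PATH.

# Returns 0 if VERSION is at or above the fixed release for its branch,
# 1 if it is below it, 2 if the branch is not one the advisory names.
mongodb_pcre_fixed() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-rc0"
    case "$major.$minor" in
        2.6) [ "${patch:-0}" -ge 9 ] ;;
        3.0) [ "${patch:-0}" -ge 1 ] ;;
        *)   return 2 ;;
    esac
}

# Sends unauthenticated requests to HOST:PORT (defaults are placeholders).
# Exit 0 only when the server is patched and refuses anonymous access.
audit_mongod() {
    host=${1:-localhost}; port=${2:-27017}
    version=$(mongo --quiet --host "$host" --port "$port" \
        --eval 'print(db.version())' 2>/dev/null) || {
        echo "$host:$port: could not connect"; return 3; }
    echo "$host:$port: mongod $version"
    status=0
    if mongodb_pcre_fixed "$version"; then
        echo "  version at or above the fixed release"
    else
        echo "  version below the fixed release (or branch not covered): update"
        status=1
    fi
    # listDatabases requires privileges once authorization is enabled, so an
    # anonymous "ok: 1" means the server still allows anonymous access.
    if mongo --quiet --host "$host" --port "$port" \
        --eval 'db.adminCommand({listDatabases: 1}).ok' 2>/dev/null \
        | grep -q '^1$'
    then
        echo "  anonymous access permitted: enable authorization"
        status=1
    else
        echo "  anonymous access refused"
    fi
    return $status
}
```

Run it as `audit_mongod db.example.internal 27017`; a non-zero exit means at least one of the two conditions still applies.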

Authors

Threatpost
